Is It Safe to Store Passwords in the Cloud?

When the online shoe retailer Zappos suffered a data breach
recently, the company sent out emails to millions of customers
and recommended that each change his or her Zappos account
password as soon as possible to protect his or her personal
information.

The emails highlighted the fact that a password is often the
first line of defense when it comes to protecting any type of
personal data. The general rule of thumb is to have a
unique password for every account that requires one.

But since it seems every place you do business online — or indeed
every site you visit — requires you to have a password, that
quickly adds up to a lot of passwords. It's tough enough to try
to remember two or three different passwords, let alone 50.

Sky computing

Enter the "cloud" — the vast array of storage servers and
processors on the Internet, basically — to help with
password management.

"Consumers store passwords in the cloud to aid in their
password-security-management practices," said Ashley Podhradsky,
assistant professor of computing and security technology at
Drexel University in Philadelphia. "It's not uncommon for
consumers to have dozens of passwords to memorize, and as a
result, they often use the same password for all of their
accounts."

Using the same password for different accounts can lead to
cascading security failures, because it takes only one company to
suffer a data breach for all the other accounts to be compromised
as well.

Hence, many security experts advocate using password-management
applications, which can store and remember users' passwords for
them. The user needs to remember only his or her
"master" password, which some applications can generate. And
many password-management applications are moving their services
to the cloud.

"When consumers adopt a password-management application,"
Podhradsky said, "they can use a password generator to create
strong passwords that can then be stored in the cloud."

The benefit of storing passwords in the cloud, said Morgan Slain,
CEO of SplashData, a Los Gatos, Calif.-based maker of
productivity apps for mobile platforms, is the convenience of
being able to access your data anytime, anywhere, from any
device.

But, Slain pointed out, whenever information is stored on a
server connected to the Internet, there is some inherent risk
that your data will be lost or compromised.

Storing passwords in the cloud introduces a
single point of failure. If the place where a password is stored
has been breached, someone has it and will try to use it at other
sites. If the password is reused across accounts, it could mean a
lot of lost data — or worse.

Trade-off

So should you ever store your password on a website or in the
cloud? It depends on your individual circumstances.

"You need to weigh the trade-off between convenience and
security," Slain said. "If you need to be able to access your
information from a number of different browsers on different
types of devices, storing passwords in the cloud can be a good
option."

"When consumers store passwords in the cloud, they are addressing
two of the most critical flaws in password management: weak
passwords and reusing passwords," Podhradsky added. "Using a
password generator to create strong, unique passwords that are
not susceptible to common attacks, and storing them in a secure
cloud password-management system allows consumers to better
protect their data and personal information."

But if you really want to store your passwords in the cloud so
they are accessible wherever you are, there are safe ways to do
it.

"There are several free and commercial cloud password-management
systems that allow consumers to create and store passwords
securely, along with logging into websites with a single click,"
Podhradsky said.

"KeePass and LastPass are both free solutions, and 1Password is a
great commercial application that will create and store strong
passwords in the cloud," she said. "When looking for a solution
for you, ensure it is not platform-dependent and can be
implemented with portable devices."